diff options
| -rw-r--r-- | util/nvmutil/nvmutil.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c index 524e678e..26c31d2c 100644 --- a/util/nvmutil/nvmutil.c +++ b/util/nvmutil/nvmutil.c @@ -57,6 +57,7 @@ void setWord(int pos16, int partnum, uint16_t val16); void byteswap(int n, int partnum); void writeGbeFile(int *fd, const char *filename, size_t nw); void xpledge(const char *promises, const char *execpromises); +void xunveil(const char *path, const char *permissions); #define FILENAME argv[1] #define COMMAND argv[2] @@ -79,7 +80,7 @@ uint8_t big_endian; int main(int argc, char *argv[]) { - xpledge("stdio rpath wpath", NULL); + xpledge("stdio rpath wpath unveil", NULL); size_t nr = 128; int fd, flags = O_RDWR; void (*cmd)(void) = NULL; @@ -92,7 +93,7 @@ main(int argc, char *argv[]) if (argc == 3) { if (strcmp(COMMAND, "dump") == 0) { - xpledge("stdio rpath", NULL); + xpledge("stdio rpath unveil", NULL); flags = O_RDONLY; cmd = &cmd_dump; } else if (strcmp(COMMAND, "setmac") == 0) { @@ -125,16 +126,20 @@ main(int argc, char *argv[]) (cmd == &cmd_setchecksum) | (cmd == &cmd_brick); readGbeFile(&fd, FILENAME, flags, nr); (void)rhex(); - if (flags == O_RDONLY) + xunveil("/dev/urandom", "r"); + if (flags == O_RDONLY) { xpledge("stdio", NULL); - else - xpledge("stdio wpath", NULL); + } else { + xpledge("stdio wpath unveil", NULL); + xunveil(FILENAME, "w"); + } if (strMac != NULL) cmd_setmac(strMac); /* nvm gbe.bin setmac */ else if (cmd != NULL) (*cmd)(); /* all other commands except setmac */ writeGbeFile(&fd, FILENAME, nr); - } + } else + xpledge("stdio", NULL); if ((errno != 0) && (cmd != &cmd_dump)) err(errno, NULL); @@ -381,3 +386,13 @@ xpledge(const char *promises, const char *execpromises) err(errno, NULL); #endif } + +void +xunveil(const char *path, const char *permissions) +{ + (void)path; (void)permissions; +#ifdef __OpenBSD__ + if (unveil(path, permissions) == -1) + err(errno, NULL); +#endif +} |